Understand the differences between public key and symmetric key encryption

Data security is always a trade-off between transmission speed and processing time: the faster you need to send information, the less secure it's likely to be. Find out what you're trading off when you enable different types of encryption across a Windows 2000 network.

These days it seems that concern over network security is at an all time high. Because of this, it's important to understand what's really happening when you encrypt your data. You might have assumed that when you enable encryption, a single type of encryption is at work. However, you're actually using two types of encryption. In this article, I'll introduce you to these two types of encryption and explain how they work together.

One key, two keys

Most people assume that the various public key infrastructures use strictly public key technology. This isn't the case. Many of the functions used within the Windows 2000 implementation of public key encryption use both public key and symmetric key encryption algorithms. To understand why this is the case, it's necessary to understand a little bit about how each encryption technology works.

Symmetric key encryption involves using a single key to both encrypt and decrypt data. For example, suppose that you took a document, placed it in a file cabinet, and then locked the cabinet with a key. For you or anyone else to access the document, you'd need the key to the file cabinet. Generally speaking, symmetric key encryption is fast and secure. On the other hand, while symmetric key encryption works well locally, it doesn't work very well across networks. In order for the receiver of the encrypted packets to be able to decrypt them, they must have the key. This means that you must send them that key along with the message. The other problem is that the physical medium you're sending the packets across is insecure; if it were secure, there would be no reason to encrypt the message in the first place. Anyone who might be monitoring the network could capture both the encrypted packets and the key necessary for decrypting them.

Public key encryption, on the other hand, uses a pair of keys: a public key that's sent along with the message and a private key that's always in the possession of the recipient. The two keys are mathematically related, and only the two keys working together can decrypt the packets. Because the private key is never sent across the network, it remains secure. The downside of public key encryption is that it tends to be very slow and resource intensive, which makes it difficult to send large amounts of data using public key encryption alone.

Mix and match

Because of these complementary strengths and weaknesses, Windows 2000 uses a mixture of the two types of encryption for many operations. The idea is to encrypt the data itself using symmetric key encryption, so the data can be sent quickly and without hogging all of the available resources. The symmetric key is then sent in a separate packet encrypted using the public key algorithm. This means that when the recipient receives the encrypted data packets, they must wait for the key packet to arrive. When it arrives, they use their private key and the attached public key to decrypt that packet. Once it has been decrypted, the recipient is free to use the symmetric key it contains to decrypt the main data.

The entire process is similar to activating a new credit card received in the mail. The credit card company mails you the card and the activation code separately. Before you can use the card, you must receive the activation code and then either activate it over the phone or at an ATM to validate the card.

As you can see, using the two types of encryption together gives you the best of both worlds: the speed of symmetric key encryption combined with the security of public key encryption. This combination allows secure Windows 2000 transactions to take place with maximum efficiency and security.

Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the Director of Information Systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.